[tor-talk] On further minimizing harassment for Tor Exit Nodes

Fabio Pietrosanti (naif) - lists lists at infosecurity.ch
Mon Jan 4 08:18:51 UTC 2016



On 1/2/16 10:37 PM, Moritz Bartl wrote:
>> We could trigger that if a Tor Exit operator would be able to have an
>> ExitPolicy that denies traffic going to the destination IPs of the country
>> where it's located, leading any kind of abuses to be originated because
>> of Tor Exit traffic flowing to a foreign country.
> 
> You can achieve something similar by placing your relay in a country
> other than your own, without the need of complicated rulesets.

Mmmmm ok, that's a very interesting input that triggers a couple of
considerations on the topic:


1st) Avoiding traffic going out to the same country where the Tor Exit
is located is anyhow a protection measure for the Tor Relay operator

Assume the following matrix consideration:

a) I'm Italian, I run a Tor Exit in Germany, I prevent traffic from
going to Germany and Italy

b) I'm Italian, I run a Tor Exit in Germany, I prevent traffic from
going to Italy

c) I'm Italian, I run a Tor Exit in Germany, I prevent traffic from
going to Germany

d) I'm Italian, I run a Tor Exit in Germany, I do not apply any
country-specific blocks for outgoing traffic

From my own liability/resiliency issues against takedown
GermanyAuthority->GermanyISP and legal takedown ItalianAuthority->Myself
the option "a" would be the best one.

So the additional security requirements / resiliency being considered at
that point become two different ones:
Z) "placing the server outside the country"
Y) "avoid traffic destined to the country where the server is located"

It's interesting because the AS-Aware routing would try to prevent "Y",
which also means that it would still be leaving an improved legal capacity
for action against Tor Relay operators' ISPs, because authorities would be
able to inquire with the ISPs directly, while giving the end-user a greater
benefit for privacy (fewer countries to be crossed for Tor Exit traffic).

2nd) Do TorServers-like organizations run most relays in their own country?

How do TorServers organizations handle those kinds of considerations?

- Do they usually prefer to keep Tor Relays in their own country, because
of easier handling of possible legal threats?
- Or do they prefer to place the Tor Relays in other countries because
of the additional international cooperation requirements, leading to
better informed decisions by authorities?

Thinking about the "Onion Italia" setup, those lead to a contradicting
balance between:
- the goal also to provide good exit traffic from Italy
- minimizing the liabilities from Italian authorities' uninformed
actions against us

For us, placing servers outside Italy does not allow us to fulfill the goal
to provide Tor Exit traffic in Italy, but placing them in Italy would
expose us to the additional legal risks of uninformed decisions by law
enforcement officers (the "wakeup at 6.00am with someone knocking at the
door").

So a "Tor Exit Policy being geographically aware for allowance or
denial of specific country destined traffic" could enable better
"granularity" in the balancing of liability
mitigation/resiliency/deployment, enabling an Italian legal
entity to run Italian based servers c/o Italian ISPs, but add some
level of resiliency/protection against uninformed decisions by law
enforcement.


As a research topic, it would be interesting to make a matrix of the
different deployment scenarios with parameters such as:
- "Where are the persons responsible for the legal entity"
- "Where your legal entity is located"
- "Where the server is located"
- "Which country you allow traffic to go through"
- "Routing of requests" in different scenarios

Those things, together with some MLAT database of country-country
cooperation agreements/framework, fed to a properly written algorithm
could suggest the top/most resilient "TorServers
Organizational/Legal/Technical/Architectural setups" ?

-naif
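
The following is an added example, not part of the original post or of Tor itself: a sketch of how the country-aware `ExitPolicy` from scenarios a) to d) above could be generated as torrc lines. The prefix table is constructed from documentation ranges, and the names `COUNTRY_PREFIXES`, `SCENARIOS`, `exit_policy_lines` and `would_reject` are hypothetical; IPv4 only.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges standing in for
# per-country prefix lists (a real list would come from a GeoIP database).
COUNTRY_PREFIXES = {
    "DE": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24"],
    "IT": ["203.0.113.0/26", "203.0.113.64/26", "203.0.113.192/26"],
}

# Scenarios a)-d) from the post: Italian operator, exit hosted in Germany.
SCENARIOS = {"a": ["DE", "IT"], "b": ["IT"], "c": ["DE"], "d": []}


def collapsed_prefixes(countries, table=COUNTRY_PREFIXES):
    """Merge the prefixes of all blocked countries into the fewest CIDRs."""
    nets = []
    for cc in countries:
        if cc not in table:
            raise KeyError(f"no prefix list for country {cc!r}")
        # strict=True rejects entries with host bits set (malformed input)
        nets.extend(ipaddress.ip_network(p, strict=True) for p in table[cc])
    return list(ipaddress.collapse_addresses(nets))


def exit_policy_lines(countries, table=COUNTRY_PREFIXES):
    """Return torrc lines rejecting all ports for the blocked countries.

    Exit policies are first-match, so these lines must be placed before
    the operator's existing accept/reject rules in torrc.
    """
    return [f"ExitPolicy reject {net}:*"
            for net in collapsed_prefixes(countries, table)]


def would_reject(dest_ip, countries, table=COUNTRY_PREFIXES):
    """Check whether a destination falls inside the generated reject set."""
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in net for net in collapsed_prefixes(countries, table))


if __name__ == "__main__":
    for name, blocked in SCENARIOS.items():
        print(f"# scenario {name}: blocked={blocked or 'none'}")
        print("\n".join(exit_policy_lines(blocked)) or "# (no country rules)")
```

Real per-country prefix lists run to thousands of entries even after collapsing, so the size of the resulting policy is the practical constraint this sketch makes visible.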

